TLS 1.3 failed when set the groups_list of server and client to "brainpoolP512r1:X25519" #21157
Comments
Could you please try 3.0.9 version on the server? There were some fixes in regards to brainpool groups.
I tried 3.0.9, 3.1.0 and the master version on the server; all failed with the same error.
If the client sends us a group in a key_share that is in our supported_groups list but is otherwise not suitable (e.g. not compatible with TLSv1.3) we reject it. We should not ask for that same group again in a subsequent HRR. Fixes openssl#21157
Fix in #21163
Hmm, somehow the 1.1.1 version is also affected.
vs. the client I've built from my features branch: https://github.com/bernd-edlinger/openssl/tree/openssl-111-features
As you can see, the client tries to negotiate tls1.2 or tls1.3
also completely weird what happens if I use 1.1.1 as client and server:
again, the server sends the invalid HRR:
but this time it is accepted by the client and the TLS1.3 protocol is negotiated,
Another scenario Server Configuration: Client Configuration: Server error log: OpenSSL 3.X, brainpoolP512r1 is not allowed on TLS 1.3. In the above scenario, can I expect TLS 1.2 to be negotiated?
Yeah, I see what you mean.
Version negotiation and group negotiation are separate logical steps. Although in theory we could fall back to tls-1.2 in case both sides support both tls-1.3 and tls-1.2 but do not have an intersecting group for tls-1.3, it would not be a good idea to do so. We had similar requests before and they were rejected.
If the client sends us a group in a key_share that is in our supported_groups list but is otherwise not suitable (e.g. not compatible with TLSv1.3) we reject it. We should not ask for that same group again in a subsequent HRR. Fixes #21157 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #21163) (cherry picked from commit 7a949ae)
Issue Description:
TLS 1.3 failed when set the groups_list of server and client to "brainpoolP512r1:X25519"
Server Configuration:
OpenSSL version: 3.0
groups_list:"brainpoolP512r1:X25519"
tls_version: TLSv1_3
Client Configuration:
OpenSSL version: 1.1.1n
groups_list:"brainpoolP512r1:X25519"
Server error log:
0A000417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
Client error log:
141BD06C:SSL routines:tls_parse_stoc_key_share:bad key share
Root cause:
An unsupported group is incorrectly added to the key_share of the HelloRetryRequest.
In the Hello_Retry_Request, the selected group is brainpoolP512r1 in key_share.
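The root cause and the fix described in this thread, modelled as an added example (this is not OpenSSL's code, and it is not part of the original issue). The function names, the `filter` switch and the constructed ClientHello with a brainpoolP512r1 key_share are assumptions made for illustration; the group numbers are the IANA code points.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA "TLS Supported Groups" code points for the two groups in this issue. */
#define BRAINPOOLP512R1 28
#define X25519          29

/* Groups RFC 8446 (section 4.2.7) defines for TLS 1.3 key exchange. */
static int tls13_group(uint16_t g) {
    return (g >= 23 && g <= 25) || g == 29 || g == 30 || (g >= 256 && g <= 260);
}

static int in_list(uint16_t g, const uint16_t *l, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (l[i] == g) return 1;
    return 0;
}

/* Server side: first group in server preference order that the client also
 * lists. filter=0 models the reported behaviour, filter=1 skips groups that
 * cannot be used in TLS 1.3. Returns 0 when nothing is suitable. */
uint16_t pick_hrr_group(const uint16_t *srv, size_t ns,
                        const uint16_t *cli, size_t nc, int filter) {
    for (size_t i = 0; i < ns; i++)
        if (in_list(srv[i], cli, nc) && (!filter || tls13_group(srv[i])))
            return srv[i];
    return 0;
}

/* Client side (RFC 8446 section 4.2.8): the HRR group must be one the client
 * offered in supported_groups and must not repeat a key_share it already sent;
 * otherwise the client aborts with illegal_parameter. */
int client_accepts_hrr(uint16_t sel, const uint16_t *groups, size_t ng,
                       const uint16_t *shares, size_t nsh) {
    return in_list(sel, groups, ng) && !in_list(sel, shares, nsh);
}

int main(void) {
    /* Constructed ClientHello: both groups offered, key_share for brainpool. */
    const uint16_t groups[] = { BRAINPOOLP512R1, X25519 };
    const uint16_t shares[] = { BRAINPOOLP512R1 };
    for (int filter = 0; filter <= 1; filter++) {
        uint16_t sel = pick_hrr_group(groups, 2, groups, 2, filter);
        printf("filter=%d HRR group=%u client accepts=%d\n", filter,
               (unsigned)sel, client_accepts_hrr(sel, groups, 2, shares, 1));
    }
    return 0;
}
```

With `filter=0` the HelloRetryRequest names brainpoolP512r1 and the client check fails, which matches the illegal parameter alert in the logs above; with `filter=1` the server asks for X25519 and the handshake can continue.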